In a recently published report, cyber-security firm Lookout has revealed that it has discovered evidence that suggests the connection between Android malware which was used to spy on minorities in mainland China, and a large government defense contractor from the Chinese city of Xi'an.

In a 52 page report, the experts at the security firm revealed a years-long hacking campaign has primarily targeted the Uyghur ethnic minority, who are the residents of western China, along with the Tibetan community. The malicious campaign was unleashed on individuals of these two communities with malware.

new cybersecurity law in china
Chinese hackers Reuters

The firm said that the campaign also allowed the hackers group to keep an eye on the activities of minority communities living in China's border areas as well as living abroad in at least 14 other countries. Lookout researchers said, "Activity of these surveillance campaigns has been observed as far back as 2013."

Chinese Hacking Group

Lookout attributed this secret surveillance to a cybercriminal group which they believe runs on behalf of the government of China. As per the report, some of the previous activities of this hacking group have been documented by other cyber-security companies.

The group of threat actors is already known in industry circles under different codenames such as APT15, GREF, Vixen Panda, Ke3chang, Mirage, and Playful Dragon. The threat actors behind APT15 attacks earlier designed malware to infect Windows operating system. As per the recent report, the cybercriminals also created an arsenal of Android hacking tools, including HenBox, PluginPhantom, Spywaller, and DarthPusher.

Lookout finding
Lookout

The experts at the security firm found four new outfits which they codenamed SilkBean, DoubleAgent, CarbonSteal, and GoldenEagle, while researching on the state-backed hackers. They said the cybercriminals didn't upload the apps on the Google Play Store to distribute the malware. Instead, they used a technique called "watering hole attack," where they hacked legitimate sites and inserted malicious code into them.

The malicious code then redirected the system users to different web pages, app stores, forums, and other sites from where users were tricked to download and then install APT15 malware-infected apps.

Defense Control and Hackers

As revealed by the new report, the Lookout researchers found a command-and-control server for the GoldenEagle spyware which was left unprotected. When the researchers access the server, they collected information on malware victims and the operators who had been managing the malware campaign.

While looking through log, they noticed data from the first systems infected with GoldenEagle. When they plotted GPS coordinates obtained from those infected devices, they discovered that most of them were around one single area. To their surprise, the GPS coordinates pointed at one building hosting the offices of Xi'an Tianhe Defense Technology, which is a large defense contractor in the central China city.

 Lookout finding
Lookout

However, between 2017 and 2019, four other Chinese state-sponsored cybercriminal groups have been linked to contractors hired by Chinese intelligence agencies operating in various regional offices.

This includes APT3, which is linked to a company called Boyusec operating on behalf of Chinese state security officials in the province of Guangdong, and another notorious hacking group, APT10, which is found to have linked to several firms working on behalf of Chinese state security officials in the province of Tianjin.

The operators behind these two groups have been charged by the US Department of Justice in November 2017 and December 2018, respectively.